Library of Congress

Legal Blawgs Web Archive Collection

This is an archived Web site from the Library of Congress

http://privacylaw.proskauer.com/

Archived: 10/02/2008 at 17:51:43

Broadband Providers Commit to Self-Regulatory Affirmative Consumer Consent Before Behavioral Tracking

Behavioral tracking of consumers online in order to deliver relevant advertising is a privacy issue that is receiving a lot of attention, and one that has been the focus of Federal Trade Commission and consumer group scrutiny. On September 25th, the United States Senate Commerce Committee held a hearing on online privacy and received commitments from the three industry representatives (from AT&T, Verizon and Time Warner Cable) that, if they do deploy technologies that are able to track consumer online behavior in order to tailor advertising, consumers will have clear notice and a full opportunity to provide affirmative consent. None of the companies currently use such technologies in their roles as Internet Service Providers. The broadband providers challenged the rest of the online industry, including web site operators and application providers such as Google, to provide the same protections to consumers. Essentially, the witnesses called for an end to "opt out" when it comes to online advertising.


Leaving Las Vegas . . . IF Encrypted

A Nevada law requiring encryption of customer personal information goes into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970 (2007). While the legislation is short in length, it is potentially wide-ranging in scope. In particular, the legislation requires any "business in this State" to encrypt an electronic transmission (other than via facsimile) of "any personal information of a customer" to "a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission." Id.

 


California's Financial Information Privacy Act Affiliate Sharing Provisions Narrowly Survive Complete Preemption

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt-out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass'n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information.  The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.


Affiliate Marketing Rule Alert: Compliance Deadline is October 1, 2008

Section 214 of the Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.

The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.


HHS Enters Into First Monetary Settlement Under HIPAA

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.


449 Data Breaches Reported this Year

There have been 449 data breaches reported in media in 2008, according to the Identity Theft Resource Center’s 2008 Data Breach List.  That number exceeds the 2007 year-end total, and counts as only one breach even massive incidents such as the Hannaford Bros. breach.  Note that some of the breaches in the 2008 list were reported in 2008 but occurred in earlier years. 

The public availability of the breach information reported by media and catalogued in the Data Breach List is a direct result of the data breach notification laws of 44 states.  As a reminder, the most recent list of state data breach laws is available here on the Proskauer on Privacy blog.

Prying Eyes Make Headlines

 

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential. 

 

The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.


"Boring" Couple Want to Stay That Way

Google Inc. (“Google”) has filed a motion to dismiss a complaint by a Pittsburgh couple, Aaron and Christine Boring (“the Borings”), over Google’s alleged invasion of the Borings’ privacy through Google’s Street View service. Launched last May, Street View provides a navigable, 360-degree view from the streets of many U.S. cities, including Pittsburgh. 

The Borings have sued for invasion of privacy, trespass, negligence and unjust enrichment and seek damages from mental suffering and diminished property value. In their complaint, the Borings argue that Google recklessly invaded their reasonable expectation of privacy by trespassing onto their property, passing a sign reading “Private Road, No Trespassing.” From the Borings’ driveway, Google captured exterior images of the Borings’ residence and swimming pool that Google made visible with Street View.

 


CT's New SSN Law Is Third Of Its Kind

A host of state laws require that companies take measures to protect the confidentiality of the Social Security Numbers that they possess regarding employees and consumers. But Connecticut’s new law, “AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS,” requires more. 


Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.